Data Storage Security: Securing the Physical Data Center

While many storage admins worry the most about network security, the physical security of data is also essential.

We know that your data center’s network security is important to you. How important is your data center’s physical security?

The data in corporate and co-location data centers is easily doubling and tripling in size. Cisco projects that the amount of incoming and stored data in the data center is currently approaching 3ZB (as in zettabytes) and will triple by 2017. That is a lot of data to secure.

And the data center is not only handling a lot more data, it’s also handling more infrastructure than it ever did. New technology is converging servers, fabric and storage in on-premise and cloud computing infrastructures.

Growing data and computing convergence mean that data centers, to use a technical term, are popping at the seams. IT spends a lot of time securing these high-volume installations against network attacks. They should: whole hacker communities exist to attack data center network security.

But what about physical security? This does not seem nearly as important to many data center administrators. When the corporate data center is located deep inside an office building, chances are that black-hat data extraction teams aren’t going to be swinging in any time soon.

Yet data centers are in fact under physical threat. Physical intrusion can be as simple as playing the part of a cleaning employee or computer technician. Employee mistakes or malice are common. Natural disasters can wreak havoc; so can energy-related issues.

You may not need to secure a U.S. embassy’s data center in troubled territory. But you should secure your own data center against a variety of physical threats, and make certain that your co-location provider does. This is particularly important with businesses sending more and more data onto the cloud. That data is stored in a physical location.

Has your provider secured it against all manner of threats?

A good way to tell is to make sure your provider’s data center is in regulatory compliance with network and physical security requirements. SSAE-16 and its granddaddy SAS 70 are standard compliance audits, along with FISMA or FedRAMP for government-related data centers.

Depending on the audit’s level and your particular industry, the audits will test compliance with regulations like PCI DSS, GLBA (Gramm-Leach-Bliley Act), HIPAA and SOX. The audits cover physical security as well as digital security and business practices.

What are the Threats and Why Should I Worry?

Physical threats to data centers cross a gamut of unpleasant possibilities. Most of them fall into one of three major classifications: natural disasters, physical intrusion, and energy issues.

Data centers should be located as far away from active disaster threats as possible. This does not mean you must build a data center across the country from your HQ, or contract with a data center provider many states away from your IT staff. For example, RagingFire wanted to build close to its co-location customers in the Bay Area, but the region is seismically active. It built instead in less quake-prone Sacramento, inland of San Francisco and not too far for customer IT to visit.

Energy

We don’t often think of energy in terms of a physical threat to data centers. Yet energy problems are far more frequent than are natural disasters, and we should learn to think about them in terms of securing the data center.

Part of the reason for the disconnect between energy and security is that corporate IT and Facilities remain stubbornly separate on energy costs and concerns. IT tends to think that energy usage is not their problem, but it is – if your cooling fails then your storage systems fry.

· Cooling: You may not be as fortunate as Iron Mountain, whose secure Pennsylvania facility is built into natural caverns and cooled by piped water from their underground lake. Modern technology can approximate this environment by pumping chilled water beneath a data center’s raised floors. Higher ceilings will keep warm air rising to the top instead of coiled around your equipment.

· Power grid: If you build your data center near a metro area that is running out of juice – goodbye to expansion plans. There is a reason that new data center development is happening away from large metro areas, with suburban communities serving as the local workforce. Progressive rural or suburban communities are taking advantage of cheap power and land to attract data center construction. For example, Virginia has developed its aptly named Data Center Alley in Loudoun County. Land, a local workforce, high bandwidth, and enlightened utility companies are changing the economy by courting large data center builds.

· Network Operations Center (NOC) monitoring: It’s a very good plan to host a NOC monitoring system and the personnel to watch it. Systems should include monitoring for data center fires (obviously), humidity (not so obviously), power, outside weather, and internal temperature.

· 24x7 Backup Power: While we are on the subject of power, make sure that your uninterruptible power supply (UPS) or generator is working, and will work long enough for repairs, orderly system shutdown, or evacuation.

Physical Intrusion

Does it happen? Not like in the Mission Impossible movies, but it does happen. London has experienced more than its share: burglars broke into a Verizon data center, tied up employees and stole equipment. A year earlier another burglary occurred at a Level 3 co-location center.

Also, a cup of coffee in a data center can be as dangerous as a gun. Don’t leave your data center wide open to unwanted visitors or careless staff.

· Good door locks: Dead simple? Yes, and all too often ignored in the data center. If there is a lock it’s easily sprung with a simple plastic card. Good door locks don’t exactly cost the world; invest in them for your data center’s sensitive areas. And invest in area alarms while you’re at it.

· Challenge every visitor: The practice of “tailgating” is one of the easiest ways to intrude into a data center. One data center security consultant gained entry to a NOC by posing as a hardware salesman who was carrying a tray of food. Although the data center was protected by biometrics, IT staff simply opened the door for him and the food. Other intruders simply followed employees in. To look innocent, they either talked on their cell phones or were on crutches. The employees held the secure door open for them.

· Secure checks on employees: The very easiest way to gain access to a data center is by getting on that data center’s staff. Run security checks at hiring and at least once a year thereafter. More frequent checks are even better, especially at co-location data centers that are in charge of big volumes of customer data.

· Hardened exterior: Foot-thick walls will protect a free-standing data center from physical attack and from a lot of natural disasters. Foot-thick walls with double exterior security doors and ballistics-proof windows will protect you even better.

· Protect all access via electronic Access Control Systems (ACS): Biometrics are becoming more common in sensitive data centers. These systems include palm and fingerprint readers, and the spy movie-staple iris recognition. Two-factor authentication with access cards and passwords is the next level down, and simple access cards complete the electronic ACS picture.

· 24x7 surveillance and security teams: Highly secure facilities invest in internal and external security cameras. Do not go cheap with simple fixed cameras: thieves who know what they’re doing – or who are just lucky – will stay out of direct view. PTZ (fixed and pan, tilt, zoom) digital recording cameras will do the trick.

Additional security layers include crash barriers, land perimeter protection and vegetation maintenance, a man trap (it’s like an airlock), cages for sensitive equipment, and a threat conditions policy.

Companies spend multi-millions of dollars on network security. Yet if an attacker, disaster, or energy shortage takes down your data center, then what was it all for? Don’t leave your data center gaping open, and make very sure that your data center provider doesn’t either.

Christine Taylor is a well-known technology journalist and industry-watcher.